Tackling software security in the development phase


Last week in this space I questioned the need for greater government intrusion into private computer networks in the name of cybersecurity, when so little seems to be taking place to fix one of the biggest security culprits: insecure software. This week, I am pleasantly surprised to report on an important first step the government has taken to address that very culprit.

The Federal Trade Commission announced a settlement with HTC America Friday requiring the company to develop patches for software vulnerabilities in millions of smartphones and tablets it sold. More importantly, HTC America has to come up with a program to tackle security risks during the product development phase. And, for the next 20 years, it has to submit to an independent security assessment every other year. The company, whose parent headquarters are in Taiwan, agreed to these burdens to settle charges that it did not take reasonable steps to secure its software and, in fact, introduced flaws that put sensitive data at risk. The settlement did not include a fine or other monetary penalty.

The FTC's complaint charged HTC America with not giving its engineers adequate security training, not testing software for potential security flaws, not adhering to widely accepted coding practices, not having a process for addressing reports of vulnerabilities and other security failures. The commission found numerous vulnerabilities in HTC devices, including a coding flaw that allowed unauthorized access to logging apps, and one that let third-party apps get around Android's security model.  Malicious apps had the potential to record audio from a device, send text messages to it and download other malware without the user's awareness.

The commission seemed to be particularly displeased about the user manual for HTC Android devices and the user interface for its Tell HTC app, both of which it called deceptive. The security flaws in HTC Android devices, in both cases, thwarted the very consent processes designed to protect sensitive data, the FTC complained.

HTC America didn't issue a public statement in conjunction with the settlement last week, but it did email this response to seemingly every news outlet that asked: "Privacy and security are important, and we are committed to improving practices that help safeguard our customers' devices and data. We're working to roll out the remaining software updates now and recommend customers download them once available."

What's most vital to me about the HTC America settlement is the requirement to deal with security risks from the outset when designing new devices. This is a sensible and far-sighted requirement. Unfortunately, HTC America is far from alone in its failure to bake security into product development. One can only hope that other vendors will be called to task as well. It wouldn't be fair--or especially useful--if HTC were singled out, even though its own particular failures were related to the disclosure of the secretive Carrier IQ logging software back in 2011. The existence of the controversial Carrier IQ program was made public when a security researcher demonstrated how it was logging keystrokes on his HTC Android device. While many manufacturers, including Motorola and Samsung, installed Carrier IQ on their devices--at the request of carriers, including AT&T (NYSE: T), Sprint (NYSE: S) and T-Mobile--HTC's vulnerabilities allowed third-party apps to access sensitive information, according to the FTC.

This is the first time the FTC has pursued a case centered on software security, and it says it is just one step in an ongoing initiative to get vendors to secure their offerings. While we await the next step, industry needs to boost its role here as well. Let me know what measures your company is taking to ensure the security of the software you purchase. - Caron

Filed Under